In the late 1990s, when the web was only starting to reach ordinary households, phishing was easy. Looking back at the crude lures of that era, it is tempting to ask how anyone fell for them. But simple tricks were enough, because most people had never heard of the threat until it was too late.
Phishing still starts with a simple email that lures the victim to a fake website, but the sites themselves have grown more sophisticated. Some phishing kits ship a custom web font that remaps the alphabet: the page source holds text scrambled with a substitution cipher, and the font's glyphs undo the substitution on screen, so the page reads normally to a person while a scanner that inspects the HTML text sees gibberish. Bank logos are likewise embedded as inline SVGs (scalable vector graphics) rather than image files that a filter could fingerprint. Both tricks make such pages much harder to detect automatically.
Jump to the present day. The world has survived mass ransomware outbreaks such as WannaCry in 2017 and dangerous online games such as the “Blue Whale” challenge that spread from 2016. Generally, people are more aware: we know about cyber crime and cyber security, yet many still get caught. We need to be better equipped for 2019.
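The substitution-font trick is easier to see in code. The following is an added example, not code from the article or from any phishing kit: it models a page whose source text has been run through a letter substitution that a custom font would reverse on screen, shows why a scanner that matches keywords in the page text misses it, and shows one heuristic that still catches it. The permutation, the sample login page, the keyword list and the word list are all constructed here for illustration.

```python
import re
import string

ALPHABET = string.ascii_lowercase
# Constructed permutation (not taken from any real kit): the letter written
# into the page source for each real letter. The kit's font draws the real
# letter for that code point, so the browser shows readable text.
SOURCE_LETTERS = "qwertyuiopasdfghjklzxcvbnm"


def build_table():
    """Plaintext letter -> letter that appears in the page source."""
    return dict(zip(ALPHABET, SOURCE_LETTERS))


def invert(table):
    """Source letter -> plaintext letter, i.e. what the font does on screen."""
    return {v: k for k, v in table.items()}


def substitute(text, table):
    """Apply a letter-for-letter substitution; other characters are untouched."""
    return "".join(table.get(ch, ch) for ch in text)


# Constructed sample login page; the font URL is a placeholder.
PAGE_TEMPLATE = """<html><head><style>
@font-face {{ font-family: 'kit'; src: url(kit.woff2); }}
body {{ font-family: 'kit'; }}
</style></head><body>
<form action="/collect" method="post">
<label>{user_label}</label><input name="u">
<label>{pass_label}</label><input name="p" type="password">
<button>{button}</button>
</form></body></html>"""


def build_page(table=None):
    """Build the sample page, with or without the source text substituted."""
    fields = {"user_label": "email address",
              "pass_label": "account password",
              "button": "verify and login"}
    if table is not None:
        fields = {k: substitute(v, table) for k, v in fields.items()}
    return PAGE_TEMPLATE.format(**fields)


def visible_words(html):
    """Words a browser would render: drop the style block and all tags."""
    text = re.sub(r"<style.*?</style>", " ", html, flags=re.S)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.findall(r"[a-z]+", text.lower())


KEYWORDS = ("password", "verify", "login", "account")


def text_keyword_scan(html):
    """Naive content filter: flag if a phishing keyword is in the page text."""
    words = visible_words(html)
    return any(k in words for k in KEYWORDS)


# Constructed mini dictionary; a real scanner would use a full word list.
WORDS = {"email", "address", "account", "password", "verify", "and", "login",
         "sign", "in", "username", "submit", "forgot", "remember", "me"}


def font_aware_scan(html, min_dictionary_ratio=0.5):
    """Flag a page that ships its own font while its visible text is not words.

    That combination is the signature of the trick: the text is unreadable in
    the source precisely because the font makes it readable on screen.
    """
    custom_font = "@font-face" in html
    words = visible_words(html)
    if not words:
        return False
    ratio = sum(w in WORDS for w in words) / len(words)
    return custom_font and ratio < min_dictionary_ratio


if __name__ == "__main__":
    table = build_table()
    plain, evaded = build_page(), build_page(table)
    print("keyword scan, plain page:  ", text_keyword_scan(plain))
    print("keyword scan, evaded page: ", text_keyword_scan(evaded))
    print("font-aware scan, evaded:   ", font_aware_scan(evaded))
    print("what the font renders:     ", substitute("ctkoyn", invert(table)))
```

The heuristic is deliberately loose: it only needs the page to declare its own font and to contain mostly non-dictionary text. A stricter detector would parse the served font's character map and decode the source text itself, which is what the inverted table stands in for here.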
Knowledge is power
Yeah, we know, “power is power.” But however boring it sounds, in the battle against phishing, knowledge is power. Knowing which types of attacks are trending, and the common elements that give a phishing attempt away from a distance, will keep you prepared when one arrives.
Types of phishing that will be common in 2019
The following four techniques are likely to be the most common phishing techniques this year. There will be others, but once you are familiar with these, you will develop a knack for sniffing out the rest.
1] The messaging apps route
People are moving to Messenger, WhatsApp, Teams, and Slack, even for corporate collaboration, and attackers follow wherever users go. Not everyone knows what a phishing message looks like outside email, and a link arriving through a messaging app is an easier sell because these apps generally lack the URL rewriting, link scanning, and attachment sandboxing that a corporate mail gateway applies.
2] SaaS credentials route
Expect more attacks that impersonate Dropbox, Amazon Web Services, Google Apps, or Office 365. This route is popular not because it is new but because it is effective: a single stolen credential gives the attacker access to all the files and connected accounts tied to the compromised login, and to any other service where the same password was reused.
3] Interactive BEC route
Business email compromise (BEC) attacks are tricky. They carry none of the telltale signs, no suspicious link or attachment, and look like a genuine message from someone at work. To make them more convincing, attackers run them interactively, answering the victim's replies in real time.
If the victim does not independently verify who is really behind the messages, they may end up handing confidential files to the attacker. All the attacker needs to do is some focused research on the organization, establish trust in the role of a co-worker or the boss, and then ask directly for what they want.
4] Shared files route
Corporate email is scanned for viruses and malware by default, so attackers are moving toward shared files on OneDrive, Dropbox, and the like. Instead of placing the malicious link directly in the email, the attacker places it inside a counterfeit document that looks like a legitimate file on the shared drive.
The malicious URL slips past the mail gateway's scans because what arrives in the inbox is only a sharing notification from a trusted platform; the payload lives in the file. If an unexpected login page appears when you try to open a shared file, stop right there: a file-sharing link should not be asking for your email password.
Learning the way around all the attacks
The good news is that the ways to dodge the common phishing attacks coming in 2019 are all very simple. Here is what to do:
- Ignore unsolicited SaaS account breach warnings. To check whether a breach is real, go to the service through its official site or app, never through the link or pop-up that appeared on your screen.
- Turn on multi-factor authentication for all accounts and for everyone in the organization. This should already be in place, by the way.
- Verify out of band: confirm over a different messaging app or corporate channel, or in person, that a colleague really asked for a particular file or payment. Practice channel switching for money and file transfers: if a request arrives on one platform, confirm it on another before sending anything, because an attacker who controls one channel rarely controls the second.
- Inventory all third-party apps and tools in use, enable the security controls each one offers (single sign-on, MFA, link scanning, audit logging), and keep them updated.
Mass Spear Phishing
This technique deserves separate mention because classic spear phishing takes dedication and money. Attackers going this route are talking serious business: they trace the intended victim's digital footprint and may even stalk them to learn personal details, all for a single high-profile target. Mass spear phishing borrows the personalization but drops the manual effort: data from large breaches lets the attacker address thousands of victims by name, with a real password or account detail of theirs, at the cost of a bulk mailing.
Recent campaigns such as the phishing wave that followed the Marriott breach and the “shame” (sextortion) scams are examples of mass spear phishing. Here is how to recognize the pattern in this giant monster of a phishing attack:
- The setup: Getting the attention of the intended victims.
- Curiosity: Including a piece of real personal data, such as a username or an old password from a leaked database, so the victim feels compelled to open and read the mail.
- Trust: Elements that mirror the genuine company name, sender name, or the victim's own username make the victim trust the link.
- Fear: A warning of an attack, or a blackmail threat as in the shame scams; something to scare the victim into acting fast.
- Conversion: The payoff. Malware is downloaded, credentials are entered on a fake login page, or a payment page or cryptocurrency address is presented, as with ransomware or sextortion demands.
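The five elements above can be turned into detection rules. The following is an added example, not code from the article or from any vendor: a rule-based scorer that looks for each element in a raw message with RFC 822 style headers. The keyword lists, the table of trusted senders, the regular expressions, the threshold and the three sample messages are all constructed for illustration, and every name and domain in them is hypothetical.

```python
import re

# Constructed table of senders a victim would trust, mapped to the domain
# their mail genuinely comes from (hypothetical names and domains).
KNOWN_SENDERS = {
    "example rewards": "examplerewards.invalid",
    "acme payroll": "acme.invalid",
}

# Constructed rule lists; a production filter would carry far more.
SETUP_WORDS = ("action required", "final warning", "urgent", "immediately")
FEAR_WORDS = ("breach", "compromised", "hacked", "webcam", "expose",
              "within 24 hours", "suspended")
CRED_RE = re.compile(r"\b(?:password|passphrase|pin)\b\s*(?:is|was|:)\s*\S+", re.I)
BTC_RE = re.compile(r"\b(?:bc1[0-9a-z]{20,}|[13][A-HJ-NP-Za-km-z1-9]{25,34})\b")
URL_RE = re.compile(r"https?://\S+", re.I)
FROM_RE = re.compile(r'^"?([^"<]*?)"?\s*<([^>]+)>$')


def parse_message(raw):
    """Split a raw message into a lower-cased header dict and its body."""
    head, _, body = raw.strip().partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_from(value):
    """Return (display name, address) from a From header value."""
    m = FROM_RE.match(value.strip())
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", value.strip().lower()


def find_elements(raw):
    """Return the list of pattern elements present, in the article's order."""
    headers, body = parse_message(raw)
    subject = headers.get("subject", "")
    display, address = parse_from(headers.get("from", ""))
    domain = address.rpartition("@")[2]
    text = (subject + "\n" + body).lower()
    found = []
    # Setup: urgency wording in the subject line grabs attention.
    if any(w in subject.lower() for w in SETUP_WORDS):
        found.append("setup")
    # Curiosity: the message quotes a credential, as leaked-password scams do.
    if CRED_RE.search(subject + "\n" + body):
        found.append("curiosity")
    # Trust: a known brand in the display name but mail from the wrong domain.
    if any(brand in display.lower() and domain != real
           for brand, real in KNOWN_SENDERS.items()):
        found.append("trust")
    # Fear: threat or blackmail language anywhere in the message.
    if any(w in text for w in FEAR_WORDS):
        found.append("fear")
    # Conversion: a payment address or a link that leads to a login/verify page.
    urls = URL_RE.findall(text)
    if BTC_RE.search(body) or any(k in u for u in urls
                                  for k in ("login", "verify", "signin")):
        found.append("conversion")
    return found


def is_spear_phish(raw, threshold=3):
    """Flag when at least `threshold` of the five elements appear together."""
    return len(find_elements(raw)) >= threshold


# Constructed sample messages; the bitcoin address is a published test vector.
SEXTORTION = """From: Anonymous <mail-bot-7781@relay.invalid>
Subject: Final warning: your password is hunter2

Your password is hunter2. I installed malware and recorded you via your
webcam. Pay 0.3 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq within
24 hours or I expose the video to every contact you have."""

BRAND_LURE = """From: Example Rewards <security@examplerewards-alerts.invalid>
Subject: Action required: unusual sign-in to your account

Your account was included in a data breach. Verify your identity at
http://examplerewards-alerts.invalid/verify within 24 hours to avoid suspension."""

BENIGN = """From: Example Rewards <news@examplerewards.invalid>
Subject: Your March points statement

You earned 1,250 points last month. See the full statement in your account
under Activity. No action is needed."""

if __name__ == "__main__":
    for name, msg in (("sextortion", SEXTORTION), ("brand lure", BRAND_LURE),
                      ("benign", BENIGN)):
        print(f"{name:11s} {find_elements(msg)} -> phish={is_spear_phish(msg)}")
```

The threshold of three is the point of the exercise: any single element (an urgent subject, a link to a login page) is common in legitimate mail, and it is the co-occurrence of several of them that marks the pattern described above. Note that the benign sample comes from the brand's real domain, so the trust rule stays quiet even though the display name matches.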
Fighting spear phishing with Wuvavi
Threats, or promises of a prize, are the indicators of the real threat. Instead of acting on the fear, we need to take these spear phishing attempts by the horns.
With the exclusive cyber security awareness platform from Wuvavi, small and medium level businesses can develop a cyber aware environment. Wuvavi’s free phishing attack simulations help people figure out exactly what to do in case of a real attack. Complete the training and receive certifications for enterprise grade cyber security training.